
Betterment transforms its security vulnerability management program with DX

DX’s scorecards and software catalog give Betterment real-time visibility into service ownership.


Betterment, an award-winning wealth management platform, operates in a tightly regulated industry where security and compliance are non-negotiable. “We’re a regulated industry, so security is paramount,” says Chris LoPresto, Senior Director of Engineering. Betterment’s security practice is extensive and aims to keep customers safe through programs covering everything from appsec to infosec and beyond. Together, the programs and their fundamental engineering practice provide defense in depth against any manner of bad security outcomes, including third-party library exploits. Managing that practice requires a lot of care and feeding, which invites opportunities for automation and creativity. “Third-party library vulnerabilities are a fact of life, and everyone here is committed to leading a top-notch product and infra-security practice that minimizes their impact. But the process to meet our tight remediation SLAs hasn’t always been frictionless.”

Previously, vulnerability tracking required significant manual work. Security vulnerabilities were surfaced through GitHub Dependabot reporting, but team coordination relied on custom scripts, spreadsheets, and recurring meetings. “We’ve always had a strong culture of accountability,” LoPresto explains. “But without visibility, we ran into two problems. Sometimes teams didn’t initially realize they were responsible for something, and you can’t act on what you can’t see. Other times, they knew they owned it, but the scale of the problem felt overwhelming. We scheduled meetings to unstick things, but to free up headspace for more creative security work, we decided we needed to replace those meetings with something better.”

To improve visibility, Betterment initially built a stopgap solution using DX’s Data Studio. Since the company had already been using DX for engineering analytics, leveraging Data Studio to create custom dashboards from existing integrations was a natural first step. “When we turned on the data connector for Dependabot in DX, I was able to replace basically everything we’d been doing manually,” he recalls. “I built a proof of concept on my train ride home, and by the next day, we had superior reporting compared to anything we’d achieved over the past few years.”

The Data Studio proof of concept solved the visibility problem, giving teams real-time, accurate reporting across all repositories. “It got data in front of people. Once teams could see what needed to be done, they jumped in immediately,” says LoPresto. It also took away some of the hesitation around ownership. “But the best part was how it helped our platform team spot where teams were really stuck. That’s when platform engineers started stepping in, saying, ‘We’ve got this.’ That kind of ownership shift was incredible to see.”

“Once teams could actually see what needed to be done, they jumped in right away. But the best part was how it helped our platform team spot where teams were really stuck. That’s when platform engineers started stepping in, saying, ‘We’ve got this.’ That kind of ownership shift was incredible to see.”
Chris LoPresto, Senior Director of Engineering, Betterment

After the Data Studio proof of concept proved its worth, LoPresto and his team made the case to invest in a more complete, scalable solution. “Using Data Studio was our hand-rolled version of what we knew DX could deliver natively,” he says. “It showed the value of real-time ownership visibility, but we didn’t want to maintain it ourselves.” With DX’s software catalog and scorecards, Betterment gained that same visibility out of the box, along with automated checks, ownership mapping, and SLA tracking—all built on a platform designed for continuous improvement.

Today, Betterment’s security vulnerability management program runs largely on its own. Most issues are resolved directly by service owners, while the platform team supports more complex problems or issues that affect multiple teams. “About 80% of library vulnerabilities are now addressed by product teams themselves,” says LoPresto. “For the remaining 20%, the more complex ones, our platform team steps in to help.” He adds, “We went green and have stayed green.”

“About 80% of library vulnerabilities are now addressed by product teams themselves. For the remaining 20%, the more complex ones, our platform team steps in to help.”
Chris LoPresto, Senior Director of Engineering, Betterment

Looking ahead, Betterment is expanding its use of DX’s scorecards across other evergreen programs, from pen testing to accessibility efforts, with Q4 OKRs to establish automated controls for cataloging ever-evolving team ownership for 100% of source code. More broadly, DX has become the foundation for running a security vulnerability program that matches the rigor their regulated industry demands, without the manual burden that once came with it.